Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
Microsoft Internet Explorer Security Software Windows News

Security Firm VUPEN Claims To Have Hacked Windows 8 and IE10 118

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "Windows 8 was released late last week, and already this week French security firm VUPEN says it has broken Microsoft's latest and greatest security features. The company claims it has developed a 0-day exploit for Windows 8 and IE10, by chaining multiple undisclosed flaws together."
This discussion has been archived. No new comments can be posted.

Security Firm VUPEN Claims To Have Hacked Windows 8 and IE10

Comments Filter:
  • by TechyImmigrant (175943) on Thursday November 01, 2012 @06:39PM (#41848351) Journal

    I thought that little used operating systems were less vulnerable because fewer hackers would target them compared to popular, mass market operating systems such as Linux and MacOS.

    • by Shoten (260439) on Thursday November 01, 2012 @06:56PM (#41848497)

      Yes, but that effect covers casual attackers. When your attacker is well-resourced and determined to hack YOU...then it's not such a good thing, because they're willing to find the specific vulnerabilities in an obscure OS or application. Microsoft Windows gets pretty well wrung-out because of all the attention. For a long time, OSX was full of vulnerabilities until they started to get enough market share to become a good target. Then the flaws started getting detected and patched. But if a nation-state actor or large criminal organization had a reason to hack OSX, they probably would have looked for (and found) some 0-days on their own, then leveraged them.

      • by Desler (1608317)

        For a long time, OSX was full of vulnerabilities until they started to get enough market share to become a good target. Then the flaws started getting detected and patched.

        You mean programs like Java and Flash were full of vulnerabilities. Also, people manually installing trojans on their system is not an OS vulnerability. Care to share these "vulnerabilities" that weren't in third-party software or malware that users were installing themselves? Please post any examples of drive-by malware downloads, etc. that were actually OS flaws.

        • by tlhIngan (30335)

          Please post any examples of drive-by malware downloads, etc. that were actually OS flaws.

          Safari has/had nasty bugs that took advantage of the "auto-open safe files" default setting, which I think counts as they're distributed by the same vendor as the OS and it comes preinstalled.

          I think QuickTime is similar as well a few malicious MOV files can get you hooped.

          Bunches of flaws in the open-source software it comes with as well (though we usually attribute that to the software on Linux, and to OS X on OS X. S

    • I guess plenty of Slashdot discussions still revolve around the "reputations" these two OS types established at the start of the millenium. It's nice for a joke or two, or for some clueless fanboy to rant about. But the latest Windows and Linux releases are roughly at the same level of in/security and difficulty/ease of use, bar things like misbehaving user pograms and unsupported hardware. The moral here maybe that if you're starting a new software product you have to put equal attention into these two thi

      • The moral here maybe that if you're starting a new software product you have to put equal attention into these two things.

        Software? I design cryptographic hardware for a living you insensitive clod!

      • by Anonymous Coward

        Bull [cough] Shill [cough] Shit

      • I expect those fanboys to run Windows 8s = Windows Aids and search for bugs and vulnerabilities. Actually, I never had a virus with Linux, and my drupal server was only once compromised. The reason I like windows is that third party apps just work, the reason why I use Linux is the shell and multiple desktops. I mostly need Firefox and Thunderbird and Irssi, that is all.
    • by mevets (322601)

      MicroSoft released a pretty decent surface.

      crickets..

  • I wonder if their hack could be used on Windows RT to gain low-level access to the system, allowing one to essentially jailbreak the thing and let one side-load apps on it. I'm not planning to buy a Windows RT - tablet and one of the reasons is exactly the fact that I am only allowed to install stuff from Windows Store; a fully-working jailbreak would atleast make the thing slightly more useful.

    • by Anonymous Coward
      You can side-load apps on RT. ;)
      • Really? How? Because even Microsoft's own website doesn't say that. You can only side-load things if you have a proper license for that, meaning that you need to be a large company with a contract with Microsoft.

        • Re:Windows RT? (Score:5, Informative)

          by Gaygirlie (1657131) <gaygirlieNO@SPAMhotmail.com> on Thursday November 01, 2012 @07:09PM (#41848627) Homepage

          To back up what I just said: http://msdn.microsoft.com/en-us/library/windows/hardware/hh825613.aspx [microsoft.com]

          [August 2012] Sideloading apps on Windows 8

          Sideloading is supported on the following editions when you activate a sideloading product key:

                  Windows 8 Pro

                  Windows 8 Enterprise*

          * The sideloading product key is not required with Windows 8 Enterprise when the computer is joined to an active directory domain.

          noteNote
          Sideloading is also supported on Windows RT. The group policy service is not enabled by default on Windows RT. You must enable the service before policies can be applied to the computer.

          To sideload line-of-business apps on Windows Server 2012, the computer must be joined to an active directory domain.

          For more information, see How to Add and Remove Apps.

          In other words a side-loading key is needed. Ordinary users won't get that and won't be able to side-load.

          • Re:Windows RT? (Score:5, Informative)

            by cbhacking (979169) <been_out_cruisin ... OLo.com minus la> on Thursday November 01, 2012 @08:50PM (#41849351) Homepage Journal

            Actually, getting a sideloading key is dead easy. You have to run Powershell as Admin, then type Show-WindowsDeveloperLicenseRegistration (or just "show-wi" and hit Tab). Enter Windows Live credentials - anything, including a throw-away account created for the purpose, will work - and boom, you are unlocked for sideloading. Works on Windows 8 (Pro, Enterprise, or otherwise) and on Windows RT (tested it on a Surface).

            http://msdn.microsoft.com/en-us/library/windows/apps/Hh974578.aspx [microsoft.com]

            I don't know what's up with that old data that says you can't. That's been bouncing around for almost a year, and as far as I can tell it was *never* true, even on pre-release versions. You've been able to unlock Win8 for sideloading since the first preview builds came out! It's as though there's two completely different teams talking about this. Well, three (the one that says *only* Store apps are allowed) but the last one is the marketing team trying to keep the n00bs from getting confused; they are safely ignorable. Fortunately, the team that supports the more open approach is the one that is correct.

            • Re:Windows RT? (Score:5, Interesting)

              by Microlith (54737) on Thursday November 01, 2012 @09:42PM (#41849637)

              Yes, you can go through a ridiculously complex process to install a key that will expire and Microsoft can revoke so that you can run some software on your system. It's more akin to Apple's extreme restrictions on side loading than Android's 3rd party sources checkbox. The only difference is that Microsoft isn't charging you $99 to get one. You're still at Microsoft's mercy, and no one can use your application unless they too are capable of repeating the steps.

              I don't know why people keep defending this. It's designed explicitly to inhibit people from using it and bypassing the store.

              • by westlake (615356)

                Yes, you can go through a ridiculously complex process to install a key that will expire and Microsoft can revoke so that you can run some software on your system.

                Let's be honest here:

                The geek sideloads.

                The convenience and security of the app store and the apps sideloaded by their school, employer, etc., trumps all other considerations for others. How many casual Linux users install apps that haven't been packaged and "marketed" for their distribution?

                Install Visual Studio Express and the recreational or student programmer can renew his key in one or two clicks.

                • by graphius (907855)

                  How many casual Linux users install apps that haven't been packaged and "marketed" for their distribution?

                  First, "casual Linux" LOL
                  second, Many linux users use apps outside their distro. have you ever heard of a program called make?
                  Ubuntu specifically created ppa's to allow 3rd party programs.
                  Fedora used to be famous for dependency hell, where required programs or libraries were not available in the repository....

                  yeah, let's be honest here....

                  • by cbhacking (979169)

                    There are certainly casual Linux users. Not terribly many, compared to other desktop OSes, but they exist. I've had to do tech support for a few of them.

                    Anybody who can install the build tools (for those silly distros which don't include them) and run

                    tar xzf [tarball] && cd [folder] && ./configure && make && sudo make install

                    on Linux can handle the process to sideload on Win8 just fine, which is what this thread is about. As you (rightly) point out; plenty of people do it.

                    • by graphius (907855)

                      I agree with what you are saying, although I still feel most Linux users are in the top percentile of computer competence. Linux tends to encourage learning and knowledge (except for the newer Ubuntu releases....:~), while OSX, and especially Windows tends to discourage the same...

                      Android is a different beast. I would say that most people do not use their phones as computers, but as the infamous "consumption devices". They are appliances.

                      As for Win8-RT? It seems to be a bit of an unknown. Some people are sa

            • by Cowmonaut (989226)

              Alright, throwing away mod points but you are completely dead wrong. You clearly do not understand how sideloading works in Windows 8.

              Per Microsoft, sideloading is installing an app without the Store. With Windows 8 you have to have two things in order to sideload an app:

              1. You need either the fully packed installer (which you cannot apparently save on your computer and can only download through the Windows Store app proper; going to the Windows Store page in a web browser doesn't give you any options to

              • by cbhacking (979169)

                I'm terribly sorry about your mod points. Hopefully, in the interest of them not being completely wasted, you'll learn something:

                I'm right, and I know because I've done it. How much experience with Win8 / Windows RT sideloading do you have? I'm guessing moinimal to none, because (to use your own words) "you clearly do not understand how sideloading works on Windows 8." Or rather, you may understand how APPX provisioning into an install image works, but you have no clue about how sideloading (in the sense th

          • by Rexdude (747457)

            I don't get it, does this refer to Metro apps? I upgraded Win 7 Ultimate to Win 8 Pro on my desktop, and it hasn't affected my ability to install regular windows applications at all. In fact, I use Classic Shell to bring back the old start menu and I don't use the Metro UI at all.

      • Re:Windows RT? (Score:4, Insightful)

        by tuppe666 (904118) on Thursday November 01, 2012 @07:06PM (#41848599)

        Windows RT is going to be hell its hard to find actuate reliable information about anything. From wikipedia http://en.wikipedia.org/wiki/Windows_RT [wikipedia.org] it claims.

        "Perhaps the biggest change is that Windows RT will only run applications that have been included in Microsoft's App store. This requires certification by Microsoft that they consider the application to be suitable."

        and obviously

        "Users will not have an option to disable UEFI secure boot on Windows RT systems. As a result, only operating systems that have been signed for secure boot by their developers can be installed"

    • Re:Windows RT? (Score:4, Insightful)

      by tuppe666 (904118) on Thursday November 01, 2012 @06:58PM (#41848519)

      I wonder if their hack could be used on Windows RT to gain low-level access to the system, allowing one to essentially jailbreak the thing and let one side-load apps on it. I'm not planning to buy a Windows RT - tablet and one of the reasons is exactly the fact that I am only allowed to install stuff from Windows Store; a fully-working jailbreak would atleast make the thing slightly more useful.

      Why buy a closed device, when open devices like Googles Chromebook which is available cheaper and isn't locked. Excusing manufacturers for their abuse behaviour...and giving them money, never persuaded, and manufacturer to be more open.

      • I did say I'm not planning to buy one, so you're barking up the wrong tree.

      • Re: (Score:1, Insightful)

        by Jaktar (975138)

        Why buy a closed device, when open devices like Googles Chromebook which is available cheaper and isn't locked. Excusing manufacturers for their abuse behaviour...and giving them money, never persuaded, and manufacturer to be more open.

        Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet. The grass isn't always greener on the other side of the fence. The only difference between the grass is that different dogs shit on either side. I've flashed many different ROMs to my Kindle, I've owned a Playbook, I have a Linux netbook. Pretty much every OS sucks in it's own special way. If the only thing that sucks about Wi

        • Re:Windows RT? (Score:5, Informative)

          by tuppe666 (904118) on Thursday November 01, 2012 @08:02PM (#41849007)

          I'm sorry to disagree with you. Clearly you have an issue with Google. It is untrue that they sell your information. Their business model does not allow that. The whole point is they will *never* sell your information...they sell targeted AD space. They are advertisers just like Apple and Microsoft.

          On the point of privacy. Clearly you have not installed Windows 8. Its defaults are appalling, and your being insincere in implying Microsoft is better.

          The bottom line though is I personally would like a device where I can choose to install whatever OS. The reason being I personally quite like the look of the oversized trackpad on Chomebook , and the ability to install Debien, and it beong Good Value, all three features lacking on windows rt devices.

          • by Jaktar (975138)

            This is straight from the Google privacy page:

            http://www.google.com/intl/en/policies/privacy/key-terms/#toc-terms-sensitive-info [google.com]

            Information we share

            We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances apply:

            With your consent

            We will share personal information with companies, organizations or individuals outside of Google when we have your consent to do so. We require opt-in consent for the sharing of any sensitive pe

          • by Raenex (947668)

            It is untrue that they sell your information. Their business model does not allow that. The whole point is they will *never* sell your information...they sell targeted AD space.

            Where "targeted AD space" is based on information all about you. Maybe they aren't reselling your name + information, but they sure are collecting it. Facebook requires real names, and Google has gone chasing after that policy, starting with Google+. Just the other day YouTube oh so helpfully wanted me to upgrade my account to my real name. I was able to decline it... for now.

        • Re:Windows RT? (Score:4, Insightful)

          by thoth (7907) on Thursday November 01, 2012 @08:49PM (#41849341) Journal

          Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet.

          So Microsoft has stated they will guarantee full privacy of your info that is stored in SkyDrive?

          If your going to pull the "grass isn't always greener" argument, then Microsoft still loses, as their device is more expensive, will everything else (their treatment of your data) the same.

        • Re: (Score:3, Insightful)

          by LordLucless (582312)

          Exchanging your control of the device for having every piece of information scanned, categorized, and resold by Google would be reason enough for someone to buy a Win RT tablet

          Well, gee, it's lucky Google doesn't scan, categorize and resell very piece of information on your device then, isn't it? FUD much?

          • by Anonymous Coward

            The only part of that statement that can be debated is "resold." But you can be damn sure the other verbs apply.

        • If the only thing that sucks about WinRT is that it's "closed", then I'll take one.

          Windows RT (WinRT is the new API, Windows RT is the new OS) is not "closed", it is closed, and that's not the only thing that sucks about it.

        • Re: (Score:3, Interesting)

          by pentadecagon (1926186)
          With Microsoft you have worse privacy than with Google. They collect at least the same amount of information, and because everything is closed you never know what else they transmit and collect.
  • by stillpixel (1575443) on Thursday November 01, 2012 @07:04PM (#41848567) Homepage Journal
    1. They bought Windows 8. 2. They Installed Windows 8. 3. They connected Windows 8 to the internet. 4. They surfed goatse with IE10.
    • +1 Insightful. The computer savvy of Windows users will always be its weakest point, purely because of it's the only interface for "I hate computers" people.
  • by koan (80826)

    Is what it must be like for malware authors when Microsoft releases a new OS.

  • Security generally advances through evolution, not revolution.After making significant advances in security from 3.1 to XP, Microsoft is all out of evolution and so they're just throwing in random shiny (and they've even run out of the semi-good stock of that).

    So new code just for the sake of it and is it any wonder bugs come along with it?

  • ... NOT. All the fuss about zero day exploits and the only people who ever use them are the ones who find them and the engineers who plug the holes. No big take-down of masses of people, no crippled companies, no nothing.
    • by BPPG (1181851)

      only people who ever use them are the ones who find them and the engineers who plug the holes.

      If people were going to use a 0day maliciously, then they wouldn't have announced it. In which case the engineers wouldn't be involved until after it was found in the wild.

      • by Anonymous Coward

        VUPEN isn't going to use the zero day maliciously. They're just going to sell it to the highest bidder. Because that's the company's business model.

  • The sad thing is they think anyone actually cares.

  • Even though I lack any surprise in this announcement, and would actually have been surprised if no 0-day had arisen within the first week after release, please kindly allow me to express, and excuse if it may sound a little childish, my first reaction:

    lol
  • Not shocked (Score:5, Informative)

    by ledow (319597) on Friday November 02, 2012 @06:01AM (#41851329) Homepage

    It took me nearly a day to get a "Active Directory Users and Computers" icon on my Windows 8 Pro VM.

    - First I have to download RSAT.
    - It errors with random hex-code when run.
    - Much googling (and no help in the MS KB) later, I find out it doesn't like being on a mapped shared drive (which is what VMWare uses for it's shared drive with the host).
    - Copy to C:\, run it.
    - It installs without error, but nothing happens after (nothing in Windows Features related to remote admin tools, no new icons).
    - Much googling (and no help in the MS KB) later, it turns out I don't have the en_US language installed and it won't work without it (despite the computer being en_GB!) but will just die silently.
    - Go to install language, get empty language lists.
    - Think they must be on the CD, so point it at the original CD image. Nope. Nothing useful.
    - Much googling (and no help in the MS KB) later, it turns out that because I'd disabled Windows Search, it totally stops the list of languages populating.
    - Enabled Windows Search.
    - Installed language.
    - Still no joy.
    - Much googling (and no help in the MS KB) later, it turns out that because I have disabled Automatic Updates, it won't actually download the language pack (or error, or tell you that, or anything).
    - Re-enabled, got the language pack (150Mb!)
    - Reinstalled the MSU
    - Finally get "Users and Computers".

    It doesn't shock me that in that mess of code there might be a security feature or two that's lax. I mean, seriously? Half the things had no error code or even message to say they weren't going to work or why and those that did provided zero useful information.

    - You can't install an MSU from a network-mapped drive (even if it appears as a mapped drive Z:!)
    - You can't install RSAT with only en_GB enabled.
    - You can't even see the languages available without Windows Search enabled (WTF?)
    - You can't install a language without Automatic Updates enabled (Again, WTF?)
    - You have to know all this to get Users & Computers working (which, if I remember rightly, is installed by default on most "Pro" versions of Windows or at worst was an Add/Remove Windows Feature kind of deal from the initial install disk).

    I'm not surprised, with that amount of cross-interaction between COMPLETELY unrelated components, complete lack of user feedback, and random interactions, that there's a few security problems cropping up.

    And that's not even the worst experience I've had with a clean Windows 8 VM image from an official Windows 8 ISO with a proper Windows 8 Pro Product Key. I actually managed to BSOD the VM within hours of install, not by even doing anything remotely interesting.

    • I feel your pain. Microsoft Dynamics CRM regularly throws up such gems as "An unknown error has occurred" which you then have to spend days trying to figure out via Google or in extreme cases disassembling the DLLs. Microsoft just seem totally averse to providing decent error messages or any documentation to suggest what caused the error message. I see the new blue screen doesn't have any "scary" useful information on it any more either.

    • by bertok (226922)

      I had a similar experience when I was asked to evaluate Hyper-V as a potential replacement for VMware ESX server. The installer failed because I didn't use the en-US keyboard.

      I laughed, didn't even bother trying to fix the problem, and told my boss that there's no way in hell we're trusting our infrastructure to a hypervisor that depends on the keyboard layout to function. That's a blatant sign of shoddy engineering.

      Here's another example for you: Windows Server 2008 R2 will not run a PowerShell script from

  • Security holes! In Windows!

    It's just like every other release from Microsoft then, bug ridden and insecure.

Never tell people how to do things. Tell them WHAT to do and they will surprise you with their ingenuity. -- Gen. George S. Patton, Jr.

Working...